6,632 research outputs found
Password Authentication Key Exchange Mechanism using Identity Based System
In digital world various authentication techniques are used, password authentication is one of the traditional technique. Many improvements are made in password authentication techniques as only password authentication cannot withstand today?s attack. One of the password authentication technique is two-server password authentication. In two-server password-authenticated key exchange (PAKE) protocol, a client splits its password and stores two shares of its password in the two servers, respectively, and the two servers then cooperate to authenticate the client without knowing the password of the client. In case one server is compromised by an adversary, the password of the client is required to remain secure. Research work proposed two servers that stores two shares of identity password in encrypted format. The two shares of passwords will be stored in such a way that identity password will be reformed with the help of any user defined algorithm. Along with password authentication, here idea is to implement identity based on encryption technique to encrypt the documents and messages. Proposed system will prevent dictionary, shoulder surfing, and key logger attacks
Universally Composable Two-Server PAKE
Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret shar-ing techniques to achieve protection against server-compromise attacks. 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the servers remains honest. This concept has also been explored in connection with two-server password authenticated secret sharing (2PASS) protocols for which game-based and universally composable versions have been proposed. In contrast, universally composable PAKE protocols exist currently only in the single-server scenario and all proposed 2PAKE protocols use game-based security definitions. In this paper we propose the first construction of an universally composable 2PAKE protocol, alongside with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a common reference string which is a common assumption to many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we define and construct a new cryptographic primitive, called Trapdoor Distributed Smooth Projective Hash Function (TD-SPHF), which could be of independent interest
One-Round Protocol for Two-Party Verifier-Based Password-Authenticated Key Exchange
Abstract. Password-authenticated key exchange (PAKE) for two-party allows a client and a server communicating over a public network to share a session key using a human-memorable password only. PAKE protocols can be served as basic building blocks for constructing secure, complex, and higher-level protocols which were initially built upon the Transport Layer Security (TLS) protocol. In this paper, we propose a provablysecure verifier-based PAKE protocol well suited with the TLS protocol which requires only a single round. The protocol is secure against attacks using compromised server's password file and known-key attacks, and provides forward secrecy, which is analyzed in the ideal hash model. This scheme matches the most efficient verifier-based PAKE protocol among those found in the literature. It is the first provably-secure one-round protocol for verifier-based PAKE in the two-party setting
OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks
Password-Authenticated Key Exchange (PAKE) protocols allow two parties that only share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords. Unfortunately, current aPAKE protocols (that dispense with the use of servers\u27 public keys) allow for pre-computation attacks that lead to the instantaneous compromise of user passwords upon server compromise, thus forgoing much of the intended aPAKE security. Indeed, these protocols use - in essential ways - deterministic password mappings or use random salt transmitted in the clear from servers to users, and thus are vulnerable to pre-computation attacks.
We initiate the study of Strong aPAKE protocols that are secure as aPAKE\u27s but are also secure against pre-computation attacks. We formalize this notion in the Universally Composable (UC) settings and present two modular constructions using an Oblivious PRF as a main tool. The first builds a Strong aPAKE from any aPAKE (which in turn can be constructed from any PAKE [GMR\u2706]) while the second builds a Strong aPAKE from any authenticated key-exchange protocol secure against reverse impersonation (a.k.a. KCI). Using the latter transformation, we show a practical instantiation of a UC-secure Strong aPAKE in the Random Oracle model. The protocol ( OPAQUE ) consists of 2 messages (3 with mutual authentication), requires 3 and 4 exponentiations for server and client, respectively (2 to 4 of which can be fixed-base depending on optimizations), provides forward secrecy, is PKI-free, supports user-side hash iterations, has a built-in facility for password-based storage and retrieval of secrets and credentials, and accommodates a user-transparent server-side threshold implementation
Recommended from our members
New Paradigms For Efficient Password Authentication Protocols
In the last few years the subject of password authenticated key exchange (PAKE) protocols, particularly in the client-server setting (called {\em asymmetric} PAKE, or aPAKE for short), has seen renewed interest due to the weaknesses of password protocols and the ongoing standardization effort at the Internet Engineering Task Force. In particular, due to vulnerabilities in PKI systems and TLS deployment, the standard PKI-based encrypted password authentication(or ``password-over-TLS") often leads to disclosure of passwords and increased exploitation of phishing techniques. Even when the password is decrypted at the correct server, its presence in plaintext form after decryption, constitutes a security vulnerability as evidenced by repeated incidents where plaintext passwords were accidentally stored in large quantities and for long periods of time even by security-conscious companies. Both problems of relying on PKI and server seeing password in clear are properly solved by PAKE protocols in the password-only setting.While many PAKE protocols have been proposed, an interesting question is that whether there is an efficiency limit (for computation or communication) for PAKE protocols, and how to achieve that. Attempting to push such limit, this dissertation proposes a new paradigm for building efficient (a)PAKE protocols. First we present a minimal-cost aPAKE compiler called KHAPE, which offers the best performance in terms of exponentiations with less than the cost of an exponentiation on top of an un-authenticated Diffie-Hellman key exchange. In the followup work we propose OKAPE, which further improve the round complexity of KHAPE to only two rounds of messages by leveraging a unilaterally authenticated key exchange. Since both KHAPE and OKAPE relies on Ideal Cipher (IC) Model, and existng construction for Ideal Cipher on groups all have drawbacks, we present a weakened version called Randomized Ideal Cipher (RIC) by giving up randomness of part of the ciphertext but still can be used as a drop-in replacement for IC applications. We proved that the modified 2-Feistel realizes this notion, which further improves the computation efficiency for our aPAKE compilers. Furthermore, by replacing IC with RIC in EKE protocol we get a PAKE compiler from any CPA-secure and anonymous KEM, which also opens the door for efficient lattice-based PAKE. Finally, we develop a PAKE-to-aPAKE compiler from KEM, which by embedding the previous KEM-based PAKE we can achieve an aPAKE compiler from KEM
Strong Asymmetric PAKE based on Trapdoor CKEM
Password-Authenticated Key Exchange (PAKE) protocols allow two parties that share a password to establish a shared key in a way that is immune to oine attacks. Asymmetric PAKE (aPAKE) [21] adapts this notion to the common client-server setting, where the server stores a one-way hash of the password instead of the password itself, and server compromise allows the adversary to recover the password only via the (inevitable) offline dictionary attack. Most aPAKE protocols, however, allow an attacker to pre-compute a dictionary of hashed passwords, thus instantly learning the password on server compromise. Recently, Jarecki, Krawczyk, and Xu formalized a Universally Composable strong aPAKE (saPAKE) [24], which requires the password hash to be salted so that the dictionary attack can only start after the server compromise leaks the salt and the salted hash.
The UC saPAKE protocol shown in [24], called OPAQUE, uses 3 protocol
ows, 3-4 exponentiations per party, and relies on the One-More Diffie-Hellman assumption in ROM.
We propose an alternative UC saPAKE construction based on a novel use of the encryption+SPHF paradigm for UC PAKE design [27, 20]. Compared to OPAQUE, our protocol uses only 2 flows, has comparable costs, avoids hashing onto a group, and relies on different assumptions, namely Decisional Diffie-Hellman (DDH), Strong Diffie-Hellman (SDH), and an assumption that the Boneh-Boyen function is a Salted Tight One-Way Function (STOWF). We formalize a UC model
for STOWF and analyze the Boneh-Boyen function as UC STOWF in the generic group model and ROM.
Our saPAKE protocol employs a new form of Conditional Key Encapsulation Mechanism (CKEM), a generalization of SPHF, which we call an implicit-statement CKEM. This strengthening of SPHF allows for a UC (sa)PAKE design where only the client commits to its password, and only the server performs an SPHF, compared to the standard UC PAKE design paradigm where the encrypt+SPHF subroutine is used symmetrically by both parties
- …